From 2b41a215d7abe4fc21922df9df79ed284a8a60f7 Mon Sep 17 00:00:00 2001 From: Sukchan Lee Date: Thu, 21 Jul 2022 00:02:31 +0900 Subject: [PATCH] Fixed the crash in UERANSIM 500 test (#1652) --- lib/sbi/context.c | 12 +++++++++--- lib/sbi/nghttp2-server.c | 4 +++- src/amf/amf-sm.c | 16 ++++++++++++++++ src/amf/context.c | 5 +++++ src/amf/context.h | 1 + src/amf/nas-path.c | 4 +--- src/amf/ngap-path.c | 6 ++++++ 7 files changed, 41 insertions(+), 7 deletions(-) diff --git a/lib/sbi/context.c b/lib/sbi/context.c index 0228bd19e..9827c3c9f 100644 --- a/lib/sbi/context.c +++ b/lib/sbi/context.c @@ -1447,15 +1447,21 @@ void ogs_sbi_xact_remove(ogs_sbi_xact_t *xact) ogs_sbi_object_t *sbi_object = NULL; ogs_assert(xact); + + xact = ogs_pool_cycle(&xact_pool, xact); + if (!xact) { + ogs_error("SBI transaction has already been removed"); + return; + } + sbi_object = xact->sbi_object; ogs_assert(sbi_object); ogs_assert(xact->t_response); ogs_timer_delete(xact->t_response); - /* If ogs_sbi_send() is called, xact->request has already been freed */ - if (xact->request) - ogs_sbi_request_free(xact->request); + ogs_assert(xact->request); + ogs_sbi_request_free(xact->request); ogs_list_remove(&sbi_object->xact_list, xact); ogs_pool_free(&xact_pool, xact); diff --git a/lib/sbi/nghttp2-server.c b/lib/sbi/nghttp2-server.c index 3366afc3d..1ed54b9d3 100644 --- a/lib/sbi/nghttp2-server.c +++ b/lib/sbi/nghttp2-server.c @@ -307,7 +307,7 @@ static bool server_send_rspmem_persistent( stream = ogs_pool_cycle(&stream_pool, stream); if (!stream) { - ogs_error("stream has already been closed"); + ogs_error("stream has already been removed"); return true; } @@ -435,6 +435,8 @@ static ogs_sbi_stream_t *stream_add( stream->session = sbi_sess; + ogs_list_add(&sbi_sess->stream_list, stream); + return stream; } diff --git a/src/amf/amf-sm.c b/src/amf/amf-sm.c index 8a6e4fd58..0fd16d495 100644 --- a/src/amf/amf-sm.c +++ b/src/amf/amf-sm.c 
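Review bot: The new `ogs_assert(xact->request)` in ogs_sbi_xact_remove() makes a NULL request fatal, while the lines it replaces tolerated that state and documented it as the case after ogs_sbi_send(). No change to the send path is visible in this patch, so if any caller still gets here with the request already released, the process aborts instead of finishing the cleanup. For a network function that is a loss of service from a state the old code handled. Unless the invariant is enforced somewhere outside this diff, keep the tolerant form, `if (xact->request) ogs_sbi_request_free(xact->request);`, or log with `ogs_error()` and continue. The function starts and ends outside the hunk.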
@@ -598,6 +598,22 @@ void amf_state_operational(ogs_fsm_t *s, amf_event_t *e) break; } + amf_ue = sess->amf_ue; + ogs_assert(amf_ue); + amf_ue = amf_ue_cycle(amf_ue); + ogs_assert(amf_ue); + ran_ue = ran_ue_cycle(amf_ue->ran_ue); + if (!ran_ue) { + ogs_error("NG context has already been removed"); + break; + } + + gnb = amf_gnb_cycle(ran_ue->gnb); + if (!gnb) { + ogs_error("gNB context has already been removed"); + break; + } + ogs_error("[%d:%d] Cannot receive SBI message", sess->psi, sess->pti); if (sess->payload_container_type) { diff --git a/src/amf/context.c b/src/amf/context.c index 051530a80..ab4380bbb 100644 --- a/src/amf/context.c +++ b/src/amf/context.c @@ -955,6 +955,11 @@ int amf_gnb_sock_type(ogs_sock_t *sock) return SOCK_STREAM; } +amf_gnb_t *amf_gnb_cycle(amf_gnb_t *gnb) +{ + return ogs_pool_cycle(&amf_gnb_pool, gnb); +} + /** ran_ue_context handling function */ ran_ue_t *ran_ue_add(amf_gnb_t *gnb, uint32_t ran_ue_ngap_id) { diff --git a/src/amf/context.h b/src/amf/context.h index c5426f2ff..4b6da1806 100644 --- a/src/amf/context.h +++ b/src/amf/context.h @@ -637,6 +637,7 @@ amf_gnb_t *amf_gnb_find_by_addr(ogs_sockaddr_t *addr); amf_gnb_t *amf_gnb_find_by_gnb_id(uint32_t gnb_id); int amf_gnb_set_gnb_id(amf_gnb_t *gnb, uint32_t gnb_id); int amf_gnb_sock_type(ogs_sock_t *sock); +amf_gnb_t *amf_gnb_cycle(amf_gnb_t *gnb); ran_ue_t *ran_ue_add(amf_gnb_t *gnb, uint32_t ran_ue_ngap_id); void ran_ue_remove(ran_ue_t *ran_ue); diff --git a/src/amf/nas-path.c b/src/amf/nas-path.c index 4de6c61d7..d313a100d 100644 --- a/src/amf/nas-path.c +++ b/src/amf/nas-path.c @@ -44,9 +44,7 @@ int nas_5gs_send_to_downlink_nas_transport(amf_ue_t *amf_ue, ogs_pkbuf_t *pkbuf) ran_ue = ran_ue_cycle(amf_ue->ran_ue); if (!ran_ue) { ogs_warn("NG context has already been removed"); - ogs_pkbuf_free(pkbuf); - - return OGS_ERROR; + return OGS_OK; } else { ngapbuf = ngap_build_downlink_nas_transport( ran_ue, pkbuf, false, false); 
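Review bot: The `ogs_assert(amf_ue)` that follows `amf_ue_cycle(amf_ue)` aborts the AMF when the UE context has already been removed, whereas the ran_ue and gnb checks just below it log and `break`. A UE context released while an SBI response is still pending looks like the same race this patch handles for the other two, so it should degrade the same way: `if (!amf_ue) { ogs_error("UE context has already been removed"); break; }`. The line `amf_ue = sess->amf_ue;` also reads through `sess` with no liveness check in view; that may be guaranteed by code outside the hunk. The enclosing case in amf_state_operational() starts and ends outside the hunk.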
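Review bot: amf_gnb_cycle() has no comment stating its contract, and the new callers depend on it: judging by those callers it returns NULL for a gNB that is no longer in `amf_gnb_pool`, and the returned pointer, not the argument, must be used afterwards. I would add above it `/* Returns gnb if it is still allocated in amf_gnb_pool, else NULL. */`. If ogs_pool_cycle() only checks that the slot is currently allocated (its definition is not in this patch), a pointer to a freed slot that has since been handed to another gNB would still pass. The comment should then also say that this check does not protect against slot reuse.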
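Review bot: The early return in nas_5gs_send_to_downlink_nas_transport() for a removed NG context no longer frees `pkbuf`, and it now returns `OGS_OK`, so a caller cannot tell that the buffer was not consumed. The removed lines freed it on this path, which suggests the function owns `pkbuf`; if so, every message dropped here leaks a buffer, and under the load this patch targets that can exhaust the packet-buffer pool. Keep `ogs_pkbuf_free(pkbuf);` before `return OGS_OK;`. The new early return in ngap_send_to_gnb() (src/amf/ngap-path.c) has the same shape: it returns `OGS_OK` for a removed gNB without freeing `pkbuf`, and whether the other exits of that function free it is not visible in the hunk.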
diff --git a/src/amf/ngap-path.c b/src/amf/ngap-path.c index ec2a485fa..d9090ee66 100644 --- a/src/amf/ngap-path.c +++ b/src/amf/ngap-path.c @@ -51,6 +51,12 @@ int ngap_send_to_gnb(amf_gnb_t *gnb, ogs_pkbuf_t *pkbuf, uint16_t stream_no) char buf[OGS_ADDRSTRLEN]; ogs_assert(gnb); + gnb = amf_gnb_cycle(gnb); + if (!gnb) { + ogs_warn("gNB has already been removed"); + return OGS_OK; + } + ogs_assert(pkbuf); ogs_assert(gnb->sctp.sock); if (gnb->sctp.sock->fd == INVALID_SOCKET) {